-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-20:09.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2020-03-19
Credits:        Philippe Antoine and Miroslav Lichvar
Affects:        All supported versions of FreeBSD.
Corrected:      2020-03-04 23:54:13 UTC (stable/12, 12.1-STABLE)
                2020-03-19 16:52:41 UTC (releng/12.1, 12.1-RELEASE-p3)
                2020-03-05 00:18:09 UTC (stable/11, 11.3-STABLE)
                2020-03-19 16:52:41 UTC (releng/11.3, 11.3-RELEASE-p7)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

II.  Problem Description

Three NTP vulnerabilities are addressed by this security advisory.

NTP Bug 3610:  Process_control() should exit earlier on short packets.
On systems that override the default and enable ntpdc (mode 7), fuzz testing
detected a short packet will cause ntpd to read uninitialized data.

NTP Bug 3596:  Due to highly predictable transmit timestamps, an
unauthenticated, unmonitored ntpd is vulnerable to attack over IPv4. A victim
ntpd configured to receive time from an unauthenticated time source is
vulnerable to an off-path attacker with permission to query the victim.  The
attacker must send from a spoofed IPv4 address of an upstream NTP server and
the victim must process a large number of packets with that spoofed IPv4
address.  After eight or more successful attacks in a row, the attacker can
either modify the victim's clock by a small amount or cause ntpd to
terminate.  The attack is especially effective when unusually short poll
intervals have been configured.

NTP Bug 3592:  The fix for https://bugs.ntp.org/3445 introduced a bug such
that an ntpd can be prevented from initiating a time volley to its peer
resulting in a DoS.

III. Impact

All three NTP bugs may result in DoS or terimation of the ntp daemon.

IV.  Workaround

Systems not using ntpd(8) are not vulnerable.

Systems running ntpd should make the following changes:
- - Disable mode 7
- - Use many trustworthy sources of time
- - Use NTP packet authentication
- - Monitor ntpd for error messages indicating attack
- - If only unauthenticated time over IPv4 is available, use the restrict
  configuration directive

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.1-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.patch.asc
# gpg --verify ntp.12.patch.asc

[FreeBSD 12.1-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.12.1.patch.asc
# gpg --verify ntp.12.1.patch.asc

[FreeBSD 11.3-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.patch.asc
# gpg --verify ntp.11.patch.asc

[FreeBSD 11.3-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch
# fetch https://security.FreeBSD.org/patches/SA-20:09/ntp.11.3.patch.asc
# gpg --verify ntp.11.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r358659
releng/12.1/                                                      r359144
stable/11/                                                        r358660
releng/11.3/                                                      r359144
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://support.ntp.org/bin/view/Main/SecurityNotice#March_2020_ntp_4_2_8p14_NTP_Rele>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:09.ntp.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIoaA//V8fG/ugFkS6ASluls3rsww0gxoVH65HM7SDiPC814cl8ck2DUSMO7lzA
jPAmsLPdrhGrJ7lTndUxuZ5hf0YeI/CgccTWYoPgiZjfXoeHS2ydQVVpM9j2ByNo
KgwqEnRxLaIRBg3+zf7sT/IenC+ivHbPDxrmW4y7ehUQO/fZ3AcXjcAw6PPCzGlp
pN8Jml04uUuD/Nb92IzWGKvLPsL27slWAHG6nPPw0onzqaZqNhFf1UUDK9qvZRNB
2pHO+aJPfRq2kUk2DvfcB4kTGB1jbHJBBRNA1ns2xrtdKKIBnwSBatN/SBznhPuF
nxGN/Y0k8EYJdVOHaoyqSlG31jatAd/TaA9+1JauxB7/29c65JHyAfddtZKY64vl
DVnfDus+fcxg9D5FI7/O9qUeMZ/S1Ix683BzUPYhCDksC+VP28mqCHMBYRdKrc1m
ysnnER8Tli+Zbenn88202+lJAaAI3gKygdzKRQg5FgXWqWi84G1WPs+c8dihpovV
ZG5AqS1gJuwlP72x/g8by7BT140PZIEYaR5Qm7uIlfNTQxNBDmDkCF54wrhAFQWY
XZrOLiOsVJdn6mX9WfPh7kxd59nAjGuy5fKwWF22g5vQsGCGoBHsqZTKPiA+WxVu
Ngqq+8zUMkcTXP7NE3aT+4HDTXi/WRwiEKTGd8zGm5J8bEHXi9I=
=Q4Yq
-----END PGP SIGNATURE-----
